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Abstract 

Counterfactual quantum cryptography (CQC), recently proposed by Noh, is featured 
with no transmission of signal particles. This exhibits evident security advantage, such 
as its immunity to the well known PNS attack. In this paper, the theoretical security 
of CQC protocol against the general intercept-resend attacks is proved by bounding 
the information of an eavesdropper Eve more tightly than in Yin's proposal[Phys. Rev. 
A 82, 042335 (2010)]. It is also showed that practical CQC implementations may be 
vulnerable when equipped with imperfect apparatuses, by proving that a negative key 
rate can be achieved when Eve launches a time-shift attack based on imperfect detector 
efficiency. 

Keywords: quantum cryptography, quantum counterfactuality, quantum information 



1. Introduction 

Quantum key distribution (QKD) GUILS], which is the most prominent application 
in quantum information theory, enables two distant parties, conventionally referring to 
Alice and Bob, to establish a secret key guaranteed by fundamental quantum mechan- 
ics, such as the no-cloning theorem. Since the first QKD scheme was proposed in 1984 
HI, a lot of attention to QKD has be en p ayed both in theoretical and experimental 
areas in these decadesfl El H S 0- ln Most of the schemes, the information 
bits are conventionally encoded into the quantum states, e.g. chosen from two conju- 
gated bases, and then transmitted to Bob in the public channel controlled by a powerful 
eavesdropper Eve. Recently Noh proposed a novel QKD protocol(Noh09 protocol) 



1 1JJ using a striking phenomenon commonly termed as quantum counterfactual effect, 



which is initiated by the idea of interaction-free measurement in quantum computation 



1 12j[13|]. It is exciting that the information particles in his protocol are not transmitted 



via any physical channel, thus, the security is witnessed straightforwardly. 
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In Noh09 protocol, Alice prepares a single photon pulse from two orthogonal states, 
i.e., a horizontally polarized state \H > and a vertically polarized state \V >. The 
pulse is then split into two by a beam splitter. The initial quantum states after the 
BS is written by |0 O( i) >= Vr|0 > a \H(V) > b +i^\H{V) > a |0 > h , where |0 > a(b) 
denotes the vacuum state in mode a(b). In Bob's secure zone, a polarization beam 
splitter (PBS) and optical switch (SW) are applied to block path b according to Bob's 
randomly chosen polarization. Specifically, the sub-pulse in path b is blocked only if 
their polarizations are identical, otherwise it will be reflected back to Alice. Ideally, 
there are three intrinsic events: (E\) Detector D\ clicks, it occurs when the single 
photon is reflected by the BS and their polarizations are identical; (£2) Detector D2 
clicks, it occurs when Bob's polarization is inconsistent with Alice's, or when Bob's 
polarization is identical to Alice's and the photon travels in path a; (£3) Detector D3 
clicks, it occurs when Bob's polarization is identical to Alice's and the photon travels 
in path b. The raw key is generated from part of the instances in event E\. Although 
a simple security analysis against a special intercept-resent attack was presented in 
Noh09 protocol, a more strict one is expected. 

Recently, Zhen-qiang Yin lfl4ll et al. gave a security proof of the counterfactual 
quantum cryptography with the same technique proposed in ref. lfl5ll . In Yin's proposal, 
the security of Noh09 protocol relies on a so-called equivalent EDP (entanglement dis- 
tillation protocol), which is designed to simulate the function of a CQC protocol. Let us 
make a simple review on this EDP. Alice first prepared N pairs of entanglement states 
written by |¥ > A = Jg[|ff > (VT|0 > a \H > h +i^/R\H > a |0 > b ) + \V > ( VF|0 > fl 

\V >b +i \R\ V > a |0 >b)], she reserved half of the particles of the entanglement states 
in her own and transmitted the other half to Bob, after the photons pass through the 
BS. Bob's blocking operation in Noh09 protocol is abstracted by a unitary operation 
which is performed on the pulse in path b. Another unitary is performed on the en- 
tanglement state to check the consistency, the sifted key is generated on the subset of 
the entanglement states for which the consistency holds. Then its security under the 
collective attacks was proved in the rest of the paper, by bounding the phase error rate 
of the quantum states. 

We find that there are some flaws in Yin's proposal with two aspects. First, Eve 
may not try to entangle her ancilla with the intercepted states, since she has no ac- 
cess into mode a, thus she is still unable to get any information about the key even if 
she succeeds in doing this. Note that it is not necessary to entangle her ancilla with 
the intercepted one for the sake of getting more information. Second,the so-called 
equivalence between their EDP and the original protocol needs further consideration, 
ambiguous evidence shows that the outputs from the two protocols differ sometimes. 
In other words, it is expected to give a equivalence proof from the views of Alice, Bob 
and Eve. 

In this paper, we give a more intuitive security proof of CQC against the general 
intercept-resend attacks. The paper is organized as follow: In section [2] the general 
intercept-resend attack is introduced, then an attack model is given. Based on this 
model, the key rate for the ideal protocol is calculated in section[3] In section|4] we in- 
vestigate the practical security of a real- world CQC implementation in a scenario where 
a time-shift attack based on imperfect detectors is performed. At last, a conclusion is 
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drawn. 



2. Modeling the Attacks 

In a conventional QKD scheme, Eve usually performs a unitary operation on the 
intecepted qubits and her ancilla, she will not measure her probes until all the classical 
information is revealed . Thus Eve's attack can be formalized by a unitary operator and 
an optimal measurement operator conditioned on the classical information. However, 
this strategy may not account for a CQC protocol, because information carriers are 
never transmitted via the channel, Eve will always fail to entangle her probe with the 
right qubits. A more intuitive way is to launch a general intercept-resend attack, with 
which Eve may skillfully misleed both Alice and Bob as possible as she can to agree 
with a key on those particles travelling in path b, and corrupt as much as possible the 
instances in event E\ . 

Quantum system is an abstract Hilbert space which includes both actual and Active 
subsystems. We denote the initial quantum state in this abstract space by H A ® H B ® 
H E ® H D , where H A , H B and H E are the subspaces owned by Alice, Bob and Eve 
respectively, and H D is a Active system which describes the measurement results of 
detectors D\, D2 and D3. Then the initial state can be expressed by 



Here \E, xyz > is a Active state where x,y and z denote the measurement results of detector 
D\, D2 and D3 respectively, p and q are variables set in H or V, and the variable e 
denoting Eve's result of measurement takes the value from {Q,H, V}. Let n = 1, for 
simplicity, so that only one-bit key is analyzed, hence EQ.([T]i is changed to 



Before Eve's attack is modeled, it is necessary to define a unitary operator describ- 
ing the behaviors of the original protocol, 



I* 1 > 

= U CQ c\Zxyz > (i ^R\P >a |0 >b + Vf|0 >a \p >b)\q >B V >E 

= {-&{p, q \q=p) i VfflP >a |0 > b \q > B ( Vf|H p oo > + Vfl|Hopo >) (3) 

+ Z{p,q\q=p) Vr|0 > a \p >b \q >B |S 0p > 

+ Vr|0 > a \p > b )\q >b |3 0p o >) ® \e >E ■ 
Eve's attack is now written by another unitary operator Ue acting on the Hilbert space 



|O >= {\E xyz >(i^R\p> a \0>b + 
VT|0 > a \p > b )\q >b \e >e\ 



(1) 



|<5 >= \E xyz > (i y/R\p >„ |0 > b + 
VT|0 > a \p > b )\q >b \e >e • 



(2) 
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H A ® H B ® H E ® H D , 

l<E> out > 

= U E \<S>i > 

= 5 Yj{p,q\q=p) i ^T\P >a |0 >b W >B (X{;c,y,z|;c=p,yUz5iO} Cxyzl^yz > 

1° >e +apool H pOO > 10 > £ ) 

+ 2 Z{p, g | g =|>}( - -K)IP >fl 10 >b \q >B (H 1 {x,y,z\y=p,xUz*0} Q iyz^'xyz > 

10 > £ +a^ |So p o > |0 > £ ) 

+ 2 Z{p, 9 | ? *j,)0' V^IP >a |0 > 6 (Z|x,y,z|xU>.#0,z#0) 0^1 > 10 >£ ' 4 ? 

+a^ 00 l S pOO > 10 > £ +a 3 0p0 \E 0pQ > |0 > E ) 

+ 2 Z{p,q\q=p] VFlO > fl I/? > 6 )|tf > B (a^ 00 |H p0 > I/? >£ 

+a O/J 3 0/>0 > I/ 5 >-B +Q, OOpl 3 OOp > \p >E) 

+ 2 2{p,?l«*J>} >« I/ 5 >&)l9 >« ( a pOol H POO > IP >£ 

+a 'opol :E: 0/ J o > I/? >£ +a^ ? |H 00g > \p >e). 

This model is naturally obtained according to the general intercept-resend strat- 
egy, and five cases need to be focused on: (CI) Alice's polarization is consistent with 
Bob's , Mode b is in vacuum and detector D\ is supposed to click. In this case, Eve's 
attack renders at least two detectors click at the same time, this explains the term 
Z( w |x=p, y uz#0) alyzl^xyz > 10 >e, the other term o^ 00 |H p0 o > |0 > E represents the 
probability of those uncorrupted events. In particular, |0 >£ denotes the state when Eve 
gets nothing about the key. (C2) Alice's polarization is consistent with Bob's, mode 
b is in vacuum and detector D2 is supposed to click. Eve's attack is then presented 
in the term Ti{x,y,z\y=p,xuz*o\ a %z\^vz > 10 > e- (C3) Alice's polarization is inconsis- 
tent with Bob's, mode b is in vacuum and detector D2 is supposed to click, similarly, 
Ti{x,y,z\xuy±o,z*0) a xyz\^yz > |0 >£ describes the events in which at least two detectors 
click simultaneously, a^ 00 |H ; ,oo > |0 >e or aj^ |Eo p o > |0 >e tells that detector D\ or 
D2 clicks. (C4) Alice's polarization is consistent with Bob's, mode b is non-vacuum 
and detector D3 is supposed to click. In this case, it is possible for Eve to compromise 
the key, as the term a 4 pQQ \z.poo > \p >e says, the explanation to a^ Qp \EoQp > \p >e is that 
Eve needs to probe Bob's polarization sometimes to adjust her following interceptions. 
(C5) Alice's polarization is inconsistent with Bob's, mode b is non-vacuum and detec- 
tor D2 is supposed to click. It is similar with the case C4 except that Eve is unable to 
get any information from her results in this case. 

We must point out that this formalization is general, or is valid for any intercept- 
resend attack in other words, because the coefficients \a' xyz \i = 1, 2, 3, 4, 5} are arbitrary. 
In the next section, we will bound Eve's information based on this model, and give a 
more rigorous key rate of CQC under the condition that all the quantum apparatuses 
are perfect. 

3. Theoretical security against general intercept-resend attacks 

In a security proof of conventional quantum key distribution schemes, such as BB84 
protocol, security definition is important and an asymptotic security is ultimately con- 
cluded as a function of the length of the quantum sequence. In this paper, the infinite- 
length security rather than an asymptotic one is investigated. 
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Suppose all the quantum apparatuses are perfect, especially the detectors, of which 
the efficiency rj reaches 1 and the dark counter rate pd is set to zero, any event in which 
more than one detectors click is definitely absent, because it implies the existence of 
an eavesdropper Eve. Thereby the model is simplified after fixing the terms as {a 1 = 
0\x = p,y U z * 0), \a\ yz = 0\y = p, x U z * 0} and {a 3 xyz \z U y * 0,z + 0). Then one 
obtains 

l«J> out > 

= f/filOj > 

= 3 ^[p,q\q=p\ ' ^RT\P >a |0 >b Itf >B oljEpOO > |0 > E 
+ 2 Ij[p,q\g=p}(- R )\P >a |0 >b l<? >B Cl\ „ l S 0p0 > |0 >£ 



+ 2 2j{/;, 9 | 9 #p)( ! V#lp > a |0 > A (o^olHpoo > 10 >£ 



(5) 



-rj Z{p, q \q=p) V^O > fl |/> > h )\q > B (a^JZpOQ > \p > E 

+a Opol s OpO > \p >e +a^ 0p \E 00p > Ip >e) 

+ 3 Y*{p,q\q*p) V^IO >a IP >fc)l9 >B ("pool 2 /' 00 > ^ >£ 

+Q, 0/J S <V0 > |p >£ +a^ 0? |H o 9 > |p >e). 

This model is correct, for instance in the ideal case where there is no eavesdropper one 
may obtain 

Pd, = f , (6) 
p Dl = f + i, (7) 
Pzj 3 = 3, (8) 
p' = P 2 = p' = 0. (9) 

Note that any pair of inconsistent measurement results of Alice and Bob indicates 
an error bit, it is easy to confirm six important parameters which are crucial to bound 
Eve's information I AE , 

P* = f Kool 2 + fl^ool 2 + WpJ + fKool 2 - (10) 

PD 2 = f l< | 2 + f l<ol 2 + lKpo\ 2 + 1 1<0| 2 ' (ID 

Pd 3 = §(I<)/+<A (12) 

P< = § Kool 2 + IKool 2 ' d3) 
P 2 = 0, (14) 

P, 3 = |l«oo/- d5) 

Now the key rate, as well as the bound of Eve's information, can be given by the 
following theorem, 

Theorem 1 For a given observable probability distribution \P Dl , P Dl , P Dj } and 
the error rates P\ ,P? and Pi, the mutual information between Alice and Bob is I AB = 



Po,[l _ Kj^-)], an d between Alice and Eve is I AE = (f + p\ - Pd 3 W, hence the 
infinite-effect key rate is 
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Figure 1 : Theoretical key rate of CQC as a function of Pp. 



m = Iab - Iae = PDi 



i^pl 



■ po 3 )R- p* D h(—). 

PDi 



Proof: See Appendix A 



(16) 



So far we have proved the security of CQC against the general intercept-resend 
attacks in the context that quantum apparatus works according to its specification. As 
we can see in Eq. ( TTBT l. the key rate is inherently bounded by the probabilities of events 
Ei, E2 and £3, and the error rates in event E\ and £3 ( Eve's attack does not affect 
event E%, seeing from Eq.([T4li). This coincides with the real situation in the sense that 
any abnormal probability distribution or a relatively high error rate in one of events 
immediately implies the existence of an eavesdropper. Also note that any protocol is 
secure only if it satisfies > 0. Fortunately, as shown in Fig[T] a positive security key 
rate can be achieved when the error rates in event E\ and £3 are small enough and the 
probability distribution is not far from normal, i.e., po, = RT/2, po^ = R 2 12 +1/2 and 
Pd, = Til. 



4. A time-shift attack in practical CQC system 

We have been reminded that imperfect detectors can be the loophole in practical 
QKD systems flfill . several elaborately conceived attacks can be applied to crack the 
whole system without the detection 11171 Unfortunately, such problem also 

exists in practical CQC implementations. In this section, it will be showed that practical 
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CQC systems are vulnerable to device imperfections by an example of a time-shift 
attack based on imperfect detector efficiency. 

Due to the dark counter rate, two or three detectors might click simultaneously, this 
event is denoted by £4. Assume that Eve is as powerful as only constrained by quantum 
physics. Naturally, she must lower the probability Pe 4 to make herself undetectable, 
thus it should satisfy 

P Ei ^ 2P d , (17) 



i.e., 

_ _ gy 1 , & v n 2 

PDA— 2 2j{.v,v,z|.v=p,vUz#0) "xyz 2 Zj\x,\,z\\=p,xUz40) u xyz nc\ 
j- R V J <-7p ' ' ' 

2 Zj(jy,z|.iUy#0,z#0} "xyz z - r d- 

Event £4 is advantageous to Eve, yet as being bounded by dark counter rate, the cor- 
rupted information seems trivial, otherwise Eve takes high risk being detected. Lemma 
1 . 1 gives the maximal corrupted information by Eve. 

Lemma 1.1 For a given dark counter rate p d of the detector, the maximal corrupted bit 
rate is obtained by 

W = {T+ DPj + [p Dl -<T+ l)P d ]h( — ) - PdM—1 d9) 

p Di -(T+ \)P d p Dl 



Proof: See Appendix B 



Another important parameter of the detector is the efficiency 77, which brings the 
risk: Eve may artificially manipulate her device to lower the efficiency r\, in order to 
pass the test with a greater probability. To compromise the key, Eve has to probe Bob's 
polarization by sending fake photons, then these photons are unlikely to be caught by 
detector D3 if the efficiency of detector D3 is low enough. Therefor Eve is able to 
control an imperfect detector simply by using an optical delay, i.e., she may launch a 



time-shift attack [18]to artificially lower the efficiency to an acceptable level, due to 
the distinguishability between the real efficiency function (refer to Figj2) and the ideal 
one. This evidently causes an increment on the mutual information between Alice and 
Eve, demonstrated by Lemma 1 .2. 

Lemma 1.2 Given a prior fixed detector efficiency r| , the increment of the mutual 
information between Alice and Eve is 

A 1 ae = ——^(Pd, - pl)R- (20) 



Proof: See Appendix C 



Combined with Lemma 1 . 1 and Lemma 1 .2£the total of the reduced information 
ntk is immediately obtained by a sum of the two, 

A m k = y cmax + &r\ E . (21) 

So the key rate under a time-shift attack is changed to 

m k -nik- hmk. (22) 
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Figure 3: The key rate under a time-shift attack. 
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Figure 4: security key rate under time-shift attack as functions of Pd x and Pd 3 , comparing to the ideal one. 

As shown in Fig[3j a negative security key rate can be achieved. Consequently, Eve 
can obtain full information about the key even if > 0. A 3-D illustration of the key 
rate as functions of Po, and Pr> 3 is showed in Fig|4]for a better understanding of this 
conclusion. Since there may be , for most of the QKD protocols, unexpected difficulties 
when we try to fill the gap between the ideal model and a realistic implementation to 
a negligible level at present, it is expected that more applicable CQC protocols are 
required in the future. 



5. Conclusion 

We have proved the security of counterfactual quantum cryptography against gen- 
eral intercept-resend attacks, by modeling it with two unitary operations, which are ab- 
stracted from Noh09 protocol and the attack strategy respectively. Note that collective 
attacks in conventional QKD protocols do not account for CQC equally, yet intercept- 
resend attack seems to be more advantageous to the eavesdropper. Intuitively, Eve may 
corrupt the key-to-be events and mislead the key generation. The protocol is proved 
to be secure against such attacks in the context that quantum apparatuses are perfect, 
then the security key rate is bounded by the probability distribution and the error rates 
of three intrinsic events. Our result is complementary to the one in Ref . 11411 . in which 
the error rate in events D3 is not involved in the conclusion. Also note that Eve's attack 
not only alters the probability distribution, but also introduces errors, thus, our proof 
coincides with the real situation more smoothly. Being demonstrated by the example of 
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a time-shift attack, it is also showed that practical CQC implementation is vulnerable 
to imperfect quantum apparatuses, this opens another problem how to put forward a 
secure CQC system in real life. 
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Appendix A. 

Theorem 1 For a given observable probability distribution {Po { , Pd-, > Pd 3 ] and 
the error rates P\ ,P\ and P\, the mutual information between Alice and Bob is I A g - 

p Dl W - h(-^-)], and between Alice and Eve is I AE = (j + pi - Pd 3 )R, hence the 
infinite-effect key rate is 



P ] 

m k =I AB -I AE = P Dx [l-h(-^)}. (A.l) 

Pd, 

Proof. To proof Theorem 1 , we start with Eq. (|5) and fix an important parameter a^ 00 , 
which is given by the unitarity of U E shown below 

l<J 2 + l<ol 2 + l<*oopl = l- (A.2) 
According to case (C4), which is the only one Eve can be successful in, when the fake 
photon transmitted by Eve is received by Alice, the probabilities for the two probabili- 
ties are immediately set by the BS, 

\<*U\ 2 /\a 4 0p f/=R/T, (A3) 

combine with Eq. ( fT3] >, ( fT31 >, ( fT8l and d20l >, we obtain 



= ( +Pl-P D} )R. (A.4) 



With the binary shannon entropy function, Eve's information I AE is therefor bounded 
by 

I AE = 7(p:«|Di = l,C4 = l) 

= p(E 1 = l,C4 = l)[l-h(p(e\p)] 

= p(E 1 = l,C4 = l), (A.5) 

= IKoo 

= (l) + Pl-P D} R, 

where E\ = 1 denote that detector D\ clicks , C4 = 1 means that Eve confirms that 
case C4 is occupied, and h(x) = -x log x — (1 - x) log(l - x) is the binary Shannon en- 
tropy function. Obviously, Eve obtains no information when po 3 is normal and there is 
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no error in event £3. Thereby it is natural to obtain that Iae — if Pd } = 7 and Pi = . 



To bound the mutual information between Alice and Bob, i.e., Iab , let us first find 
the QBER defined by OBER = p ! error \ , which is different with the one in conventional 

J *^ p(amve) 

QKD schemes. Since only event E { is useful for the key generation, the QBER can 
be equalized to the error rate for event E\, thus, the actual QBER for CQC protocol is 
obtained by 



Pi 

QBER Dl=l = p{error\D x = 1) = (A.6) 

I'd. 



With the similar technique of bounding Eve's information in APPENDIX Appendix A 
we can obtain Iab 



I AB I(q : p\Di = 1) = p Di [1 - h(QBER Dl=1 )], (A.7) 
where QBERo i = \ is given by Eq. dA.6t . 

In particular, we could, from Eq. (IA.7K obtain Iab - given QBERd\=\ = 0. This 
is consistent with the result for the ideal case. Now the key rate is naturally obtained 
by 

ntk = Iab - Iae 

= P d ,-(^+P]-P Di )R-P d Mtd)- 
This concludes the proof. 



Appendix B. 

Lemma 1.1 For a given dark counter rate pd of the detector, the maximal corrupted 
bit rate is obtained by 

(T + l)P d + [P Dl -(T+ l)P d ] 

p' p< (B 1) 

*h( PD _^ +1)Pd )-P Dl h(-^). 

Proof. Before we start the proof, a discussion about Eq.(|4) is presented. It is shown 
that Event £4 occurs only when mode b is in vacuum, and Eve cannot distinguish Cases 
CI , C2 and C3, her corruption to the key-to-be events in case CI absolutely affects the 
other two. It is not difficult to find that the effect to the three cases is supposed to be 
the same as a result of Eve's corruption, then we obtain 



~L{x,ydx=P,y{JZ*0} \ a xyz\ ~ ^{x,y,z\y=P,*{J:M} \ a xy Z \ 
- L{x,ydx\jy*0,z*0}\ a xyz\ • 

To reach the maximum, the total probability for event £4 is set to be 



(B.2) 



P Ei = 2P d . (B.3) 
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From Eq.(l4li.( lB~2"l i and iB.3i , the following expression can be confirmed 



Z{ W |j=/>o>Uz*0} \ a xyz\ ~ Z{x,y,z\y=p,x(jz±0}\ a xyz 

j{x,y,z\xljy*0,z*0} 



ZfoulxU y#0^0) IQ'atzI 2 (B-4) 



- |i d- 

In addition, from theorem 1 the mutual information between Alice and Bob when 
the corruption occurs is 

Iab -P r D'^-h(^0)l (B.5) 

where P^" 1 denotes the real probability for event E\ and P\ real is the corresponding 
error rate. Next, we consider the ideal case, correspondingly, the two parameters are 
changed to 



preal pideal f RT y 1^112 

Z>i ~ D\ K 2 Mx,y,z\x=p,yUz*0) \ a xyz' 

+ 2 ^{x,y,z\x<Jy*0,z±0)\ a xyz\ )> 



(B.6) 



^"ddeoi _ Cereal- O-T) 

Explanation to Eq.( IB.6l ) follows: It is assumed the term X{a',v,<|a'Uv*o,z#0) \g%, z \ 2 only 
affects |a^ 00 | 2 and cares nothing about la^l 2 , since it is advantageous to Eve. Similarly, 

§ Ti{x,y,z\xuy*o,z*0) \ a xyz\ 2 should not affect lo'pool 2 - Now the mutual information for the 
ideal case is given by 

I Mea l = p ^ l[l _ h{ ^ )] (B8) 

Combined with Eq. flB.4| ),( lB.5| ),( lB.6T ) and dB.7| ), the total corruption rate y cmax defined 

jideal jreal 

AB AB 



by y C max = I'fn' 1 - ITS' is bounded, i.e., we have 



_ jideal _ jreal 
Ycmax - 1 AB l AB 

= (T+l)P d 



+ [ pideal _ (T+ l) Pd ]h( pr ^ 1)p ) (B.9) 

' n. 



Substituting p'^ aI and P\ ideal with P Di and P\ completes the proof. 



Appendix C. 

Lemma 1.2 Given a prior fixed detector efficiency r\ , the increment of the mutual 
information between Alice and Eve is 



M n AE =^-(P D3 -Pl)R. 



'AE-— V**» -*«/«. (CD 
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Proof. Note that Eve performs a time-shift attack to control the timing of the detector 
indirectly. In this case, the efficiecny is lowered, thereby the probability for event £3 is 
reduced to 

Pm = Wof- (C-2) 
P 3 , and P 3 . , , are defined to denote the probability for the real case and the ideal 

ereal eideal r J 

case respectively. Similarly, the error rate for event £3 is 

Plreal = Eideal' ( C - 3 ) 

From Theorem 1 , one immediately obtains 

I%<" = (L + Pl ideal -P%f)R. (C.4) 
Similarly, Eve's information in a real case is given by 

Now combined with Eq. (lC.2l >, (IC.3b and iCAi , the increment of the total information 
of Eve defined by hl\ E = P A f - if/ is 

Substituting the labels P'™' and P\ real with P Di and P 3 completes the proof. 
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